Archive for the ‘fortigate’ Category

Define the bandwidth to which traffic should be limited

Policy & Objects-Create New


Define max bandwidth

 


Create Shaping policy

Policy & Objects-Traffic shaping policy

Source: LAN

Destination: all

In this example I limited bandwidth only for the YouTube app, so under Application I selected YouTube. Because I didn’t enable Application Control in the outgoing IPv4 policy, I got a warning

Outgoing interface: WAN interface

Shared Shaper: specify Traffic Shaper

Reverse Shaper: specify Traffic Shaper

Shared Shapers affect upload speeds and reverse shapers affect download speeds


Creating Outgoing IPv4 policy

Edit the policy and enable Application Control


Select Social Media-Allow

 


If you try to open YouTube, it will hang on “Loading”


Facebook, for example, opens without errors


We can see Shaping policy applied:

FortiView-Traffic Shaping

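The same shaper, shaping policy and application-control-enabled firewall policy expressed in the FortiOS 6.0 CLI, added here as an example and not taken from the original post; the interface names port1 (WAN) and port2 (LAN), the 2048 kbps limit, the "LAN" address object and the two numeric ID placeholders are assumptions.

```fortios
# Shared shaper: one bandwidth pool for every session the shaping policy
# matches. maximum-bandwidth is in kbps; 0 guaranteed means no reserved floor.
config firewall shaper traffic-shaper
    edit "YouTube-2Mbps"
        set maximum-bandwidth 2048
        set guaranteed-bandwidth 0
    next
end
# Shaping policy: YouTube from LAN addresses leaving via port1 (WAN).
# traffic-shaper limits upload, traffic-shaper-reverse limits download.
# Placeholder below: the numeric ID from the Application Signatures list.
config firewall shaping-policy
    edit 1
        set srcaddr "LAN"
        set dstaddr "all"
        set service "ALL"
        set application <YOUTUBE_APP_ID>
        set dstintf "port1"
        set traffic-shaper "YouTube-2Mbps"
        set traffic-shaper-reverse "YouTube-2Mbps"
    next
end
# Application matching only happens on a firewall policy that runs
# application control, which is why the GUI warned when it was off.
# Placeholder below: the Social.Media category ID from the same list.
config application list
    edit "Social-Allow"
        config entries
            edit 1
                set category <SOCIAL_MEDIA_CATEGORY_ID>
                set action pass
            next
        end
    next
end
config firewall policy
    edit 1
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "LAN"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set application-list "Social-Allow"
        set ssl-ssh-profile "certificate-inspection"
        set nat enable
    next
end
```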


Hair-pinning (NAT loopback) is the technique where a machine on the LAN reaches another machine on the same LAN by using its external (public) address.

Traffic leaves the LAN interface towards the Internet, then comes back in on the same interface, addressed to the FortiGate’s external IP. The FortiGate then forwards it through the virtual IP to the local destination.

In this example, a Windows machine on the LAN network hosts a web server. From LAN machines it can only be reached by its internal IP; trying to reach the web server by its public IP from machines on the local network fails.


Create a Virtual IP which maps the public IP to the local IP of the web server

Policy & Objects-Create New-Virtual IP

External IP range: public IP

Mapped address range: web server local IP

Enable port forwarding

External service port: port on which traffic arrives

Map to port: port to which traffic will be forwarded

In this case traffic arriving on the public IP on port 80 will be forwarded to the same port on the internal address


Creating IPv4 policy

Incoming and outgoing interface: LAN interface

Source: all

Destination: Virtual IP created in the previous step

NAT disabled

 


Now the web site should be accessible from machines on the LAN using the public IP


After FortiGate is installed in AWS, EC2 instances behind it cannot reach the Internet by default. We need to set a default route on the FortiGate firewall.

Locating the AWS VPC default gateway

The Amazon VPC default gateway is usually the address with 1 in the last octet (the first usable address of the subnet). To locate it, click Network-Interfaces, click the WAN interface, then Edit


Now create a static route

 

Network-Static route-Create New

 


Specify 0.0.0.0/0.0.0.0 as the destination

Gateway: IP located in the previous step

Interface: FortiGate Internet-facing interface

Administrative distance: it’s the route metric; in my case, the highest value I could set was 4

 


Creating outgoing policy

Now we need to create an outgoing policy from the LAN network to the Internet

First, create an Address object defining the LAN network:

Policy & Objects-Addresses-New-Create New Address

Type: Subnet

Interface: Any

 


Now create the outgoing policy in FortiGate

Incoming interface: LAN interface

Outgoing interface: WAN

Source: LAN subnet

Destination: all

Service: ALL

Enable NAT in Firewall/Network options


Now you should be able to browse the Internet from an EC2 instance behind the FortiGate firewall

In this example a site-to-site VPN between 2 FortiGate firewalls will be created. I simulated 2 different locations using different AWS regions

 


Ireland Fortigate Setup

VPN-IPsec Tunnels-Create New

 


Click Custom

 


For the remote gateway specify the Frankfurt FortiGate FW public IP, the public-facing interface, the authentication method (pre-shared key), Phase 1 encryption, DH groups, and the local and remote networks

 


Phase 2 authentication

 


Now create 2 IPv4 policies:

1. To allow outgoing traffic from the local network (192.168.10.0/24) to the remote network (172.31.110.0/24) specified in the VPN settings

2. To allow incoming traffic from the remote network (172.31.110.0/24) to the local network (192.168.10.0/24)

I created 2 Address objects: LAN (for the local network) and Remote (for the remote network)

Policy & Objects-Addresses-New Address

Type: Subnet

Interface: Any

Creating incoming IPv4 policy (from remote to local)

Incoming interface: VPN interface

Outgoing interface: LAN interface

Source: Remote network

Destination: Local network

Disable NAT

 


Outgoing IPv4 policy (from local to remote network)

Incoming interface: LAN interface

Outgoing interface: VPN interface

Source: LAN network

Destination: Remote network

Disable NAT


Creating static route

Now we need to create a route to the remote network (172.31.110.0/24) through the VPN interface

Network-Static Routes

Destination: Subnet, specify the remote subnet

Interface: VPN interface


Creating VPN connection from Frankfurt Fortigate

 

Now we need to create exactly the same configuration on the other side (Frankfurt firewall). The only differences are the remote peer IP and the local and remote networks.

-create VPN tunnel

-create incoming IPv4 policy

-create outgoing IPv4 policy

-create static route

 

Creating VPN tunnel


Local network: 172.31.110.0/24

Remote network: 192.168.10.0/24

 

Incoming policy

 


And a static route to 192.168.10.0/24 through the VPN interface

Now the VPN connection should be operational
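The Ireland-side tunnel, the two policies and the static route as FortiOS 6.0 CLI, added as an example rather than taken from the post; the interface names, the proposal, the DH group, the Frankfurt peer address 203.0.113.20 and the pre-shared key placeholder are assumptions, while "LAN" and "Remote" are the address objects created in the post.

```fortios
# Phase 1: IKE peer is the Frankfurt FortiGate's public IP, reached through
# port1 (Internet-facing), authenticated with a pre-shared key. Proposal, DH
# group, peer address and the key placeholder are assumptions.
config vpn ipsec phase1-interface
    edit "to-Frankfurt"
        set interface "port1"
        set proposal aes256-sha256
        set dhgrp 14
        set remote-gw 203.0.113.20
        set psksecret <PRE_SHARED_KEY_PLACEHOLDER>
    next
end
# Phase 2: selectors are the local and remote networks from the post.
config vpn ipsec phase2-interface
    edit "to-Frankfurt"
        set phase1name "to-Frankfurt"
        set proposal aes256-sha256
        set src-subnet 192.168.10.0 255.255.255.0
        set dst-subnet 172.31.110.0 255.255.255.0
    next
end
# Policies in both directions, NAT left disabled so hosts keep real addresses.
config firewall policy
    edit 10
        set srcintf "to-Frankfurt"
        set dstintf "port2"
        set srcaddr "Remote"
        set dstaddr "LAN"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 11
        set srcintf "port2"
        set dstintf "to-Frankfurt"
        set srcaddr "LAN"
        set dstaddr "Remote"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
# Route the remote network into the tunnel interface.
config router static
    edit 2
        set dst 172.31.110.0 255.255.255.0
        set device "to-Frankfurt"
    next
end
```

The Frankfurt side is the mirror image: swap remote-gw, src-subnet and dst-subnet, the policy addresses and the route destination. Once both sides are up, `diagnose vpn tunnel list` shows whether both phases negotiated.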

 


Blocking web pages in Fortigate

Posted: August 2, 2018 in fortigate

In one of the previous posts we configured a proxy policy to allow all traffic; in this one we’ll see how to block all social media sites or just some of them.

Security Profiles-Application Control-Social Media-Block (all social media sites will be forbidden)


Or, under the same section, click Web Filter-Enable URL Filter-Wildcard, type the site name with an asterisk as prefix (to block all subdomains) and select Block

 


Under Policy & Objects enable Web Filter or Application Control and, depending on whether the default policy is modified or a new one is created, specify the correct profile from the drop-down menu

 


The site(s) should now be blocked

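The wildcard URL filter and the profile attached to the outbound policy as FortiOS 6.0 CLI, added here as an example and not from the post; the filter and profile names, *.facebook.com as the blocked site, the "LAN" address object and the port names are assumptions.

```fortios
# Wildcard URL filter: *.facebook.com matches the domain and every subdomain.
# Names, the blocked site and the port1 (WAN)/port2 (LAN) names are assumptions.
config webfilter urlfilter
    edit 1
        set name "block-social"
        config entries
            edit 1
                set url "*.facebook.com"
                set type wildcard
                set action block
            next
        end
    next
end
# Web filter profile that references the URL filter table above.
config webfilter profile
    edit "block-social"
        config web
            set urlfilter-table 1
        end
    next
end
# Attach the profile to the outbound policy. Without utm-status enable and the
# profile set here, the filter exists but is never applied to traffic.
config firewall policy
    edit 1
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "LAN"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set webfilter-profile "block-social"
        set ssl-ssh-profile "certificate-inspection"
        set nat enable
    next
end
```

With certificate-inspection the filter matches HTTPS sites by the server name in the certificate or SNI; without an SSL/SSH profile on the policy only plain HTTP is filtered.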

In this example we’ll configure port forwarding for a web site so that a call to IP:8080 is redirected to port 80 and forwarded to a Windows web server behind the FortiGate firewall

 


I created a custom VPC and created an Internet Gateway (info on how to create a custom VPC can be found here)

Creating Fortigate “public” route

Create a route table for the FortiGate “public” network, route all traffic to the Internet Gateway and associate the “public” subnet (192.168.10.0)


Creating route for “private” network

Route all traffic from the “private” network (192.168.30.0) to the “internal” FortiGate interface

 


Disable the source/destination check on both FortiGate interfaces. With the check on, AWS drops packets whose source or destination is not the interface’s own address, which is exactly what a firewall forwarding traffic sends and receives.


Click on interface to locate interface ID


In the AWS console go to Network Interfaces, select the interface and from the Actions menu select Change Source/Dest. Check

 


Select Disabled

 


Now log in to the FortiGate: Policy & Objects-Virtual IPs-Create New-Virtual IP


The mapped IP address is the address of the Windows web server

 


Now create the incoming policy

Incoming interface: External interface

Outgoing interface: Internal interface

Destination: Virtual IP

 

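A VIP, a matching custom service and the two policies it needs (Internet-to-internal for this post, LAN-to-LAN hairpin for the NAT loopback post above) as FortiOS 6.0 CLI, an added example rather than the post's own configuration; the addresses, the port1 (external)/port2 (internal) names and the object names are assumptions.

```fortios
# VIP: traffic to extip:8080 is translated to the web server on port 80 (the
# hairpin post maps 80 -> 80; change extport). In AWS, extip is the VPC address
# of the external interface, not the Elastic IP. extintf "any" lets the VIP
# also match on the LAN side, which the hairpin policy needs.
config firewall vip
    edit "WebServer-VIP"
        set extip 203.0.113.10
        set extintf "any"
        set portforward enable
        set mappedip "192.168.30.10"
        set extport 8080
        set mappedport 80
    next
end
# The policy service must match the external port, so define 8080 explicitly
# instead of allowing ALL.
config firewall service custom
    edit "HTTP-8080"
        set tcp-portrange 8080
    next
end
# Policy 20: Internet -> internal (this post). Policy 21: LAN -> LAN hairpin
# (the NAT loopback post), NAT disabled as in that post.
config firewall policy
    edit 20
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "WebServer-VIP"
        set action accept
        set schedule "always"
        set service "HTTP-8080"
    next
    edit 21
        set srcintf "port2"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "WebServer-VIP"
        set action accept
        set schedule "always"
        set service "HTTP-8080"
        set nat disable
    next
end
```

If the client and the server share a subnet, with NAT disabled on policy 21 the server answers the client directly and the FortiGate sees only half of the session; enabling NAT on that policy makes the server reply through the FortiGate.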

Fortigate Explicit Web Proxy

Posted: July 29, 2018 in fortigate

System-Feature Visibility-Turn on Explicit proxy

 


System-Settings-Inspection Mode-Proxy


Go to the internal interface and enable Explicit Web Proxy


If you want to change default proxy port:

Network-Explicit Proxy-Under HTTP port change port number

 


Policy & Objects-Proxy Policy

Type: Explicit web

Outgoing interface: Internet-facing interface

Source: internal addresses (LAN in my case)

Destination: All

Service: webproxy

 


Set proxy address in your browser


Now you should be able to browse the Internet
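The explicit proxy steps above as FortiOS 6.0 CLI, added as an example and not from the post; port2 as the internal interface, port1 as the Internet-facing one, 8080 as the listening port and the "LAN" address object are assumptions.

```fortios
# Inspection mode and GUI visibility for the explicit proxy feature.
# Interface names, the port and the "LAN" object are assumptions.
config system settings
    set inspection-mode proxy
    set gui-explicit-proxy enable
end
# Enable the proxy service and pick its listening port (8080 is the default).
config web-proxy explicit
    set status enable
    set http-incoming-port 8080
end
# Only interfaces with explicit-web-proxy enabled accept proxy connections,
# so the WAN side is not exposed as an open proxy.
config system interface
    edit "port2"
        set explicit-web-proxy enable
    next
end
# Proxy policy: without one the proxy listens but rejects every request.
# Restricting srcaddr to LAN keeps anyone else who can reach the port from
# using the FortiGate as an open proxy.
config firewall proxy-policy
    edit 1
        set proxy explicit-web
        set dstintf "port1"
        set srcaddr "LAN"
        set dstaddr "all"
        set service "webproxy"
        set action accept
        set schedule "always"
    next
end
```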